You Can’t Secure 100% of Your Data 100% of the Time

Executive Summary

Investing in all the traditional security in the world to prevent your website from having vulnerabilities will not help if your users’ own bad habits of reusing passwords result in cybercriminals being able to log in to your application just like those users. Corporations are spending massive resources educating their workforces on the dangers of clicking on untrusted links in emails and text messages, but it’s all but impossible to make 100% of your employees 100% perfect at detecting phishing attempts 100% of the time. This means that it’s just a matter of time and effort for a dedicated attacker to gain access to almost any corporate network. The long-term answer to cybersecurity lies in dividing which cybersecurity challenges should be the individual responsibility of companies from which should come from platforms and services that take responsibility for foundational security. This model allows technology and service providers to make not only necessary, but extraordinary R&D investments to create the best possible security capabilities and practices for all companies.


Over three billion credentials were reported stolen last year. This means that cybercriminals possess usernames and passwords for more than three billion online accounts. And that’s not just social media accounts; it’s bank accounts, retailer gift card accounts with cash and credit cards attached, airline loyalty accounts with years of accumulated frequent flyer points, and other accounts with real value.

This statistic is alarming, but in fact it significantly understates the scope of the threat. Because of a form of attack called credential stuffing, tens of billions of other accounts are also at risk. Here’s how that attack works. Because most people have many online accounts (a recent estimate put it at 191 per person on average), they regularly reuse passwords across those accounts. Cybercriminals take advantage of this. In a credential stuffing attack, they take known valid email addresses and passwords from one website breach—for example, the Yahoo breach—and they use those same email addresses and passwords to log in to other websites, such as those of major banks.

This represents a completely different type of threat than what the security industry has been prepared for in the past. Investing in all the traditional security in the world to prevent your website from having vulnerabilities will not help if your users’ own bad habits of reusing passwords result in cybercriminals being able to log in to your application just like those users.


Our network statistics at Shape Security show that a typical credential stuffing attack has up to a 2% success rate on major websites. In other words, with a set of 1 million stolen passwords from one website, attackers can easily take over 20,000 accounts on another website. Now multiply those numbers by the total number of websites where users have reused their passwords, as well as the number of data breaches that have been reported, to get a better sense of the threat. Of course, that still only includes the data breaches we know about. And new research from Google indicates that phishing may be an even larger source of stolen passwords than data breaches, making the scope of the problem even larger.
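The attack described in the two paragraphs above has a recognisable footprint in a site's own login logs: one source tries many distinct usernames, almost all attempts fail, and a small fraction (the roughly 2% quoted above) succeed. The following Python is an added illustration, not code from the article or from Shape Security, of how a defender can aggregate login events per source and flag that pattern. The log format, the IP addresses, usernames and thresholds are all constructed for the example.

```python
"""Flag credential-stuffing patterns in web login logs (added example).

Assumed, constructed log format (one event per line):
    <ISO timestamp> <source_ip> <username> <ok|fail>
A stuffing source is one that tries many *distinct* usernames with a
high failure ratio; the few usernames that succeed from such a source
are the accounts that need a forced reset or step-up authentication.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not real data). 203.0.113.7 replays a
# breached credential list; the other two sources are ordinary users.
SAMPLE_LOG = """\
2017-09-01T10:00:01Z 203.0.113.7 alice@example.com fail
2017-09-01T10:00:02Z 203.0.113.7 bob@example.com fail
2017-09-01T10:00:02Z 203.0.113.7 chen@example.com fail
2017-09-01T10:00:03Z 203.0.113.7 dana@example.com fail
2017-09-01T10:00:03Z 203.0.113.7 erin@example.com fail
2017-09-01T10:00:04Z 203.0.113.7 frank@example.com fail
2017-09-01T10:00:04Z 203.0.113.7 gita@example.com fail
2017-09-01T10:00:05Z 203.0.113.7 hugo@example.com fail
2017-09-01T10:00:05Z 203.0.113.7 ivan@example.com fail
2017-09-01T10:00:06Z 203.0.113.7 juan@example.com fail
2017-09-01T10:00:06Z 203.0.113.7 kate@example.com ok
2017-09-01T10:00:07Z 203.0.113.7 leo@example.com fail
2017-09-01T10:01:10Z 198.51.100.5 carol@example.com fail
2017-09-01T10:01:25Z 198.51.100.5 carol@example.com ok
2017-09-01T10:02:00Z 198.51.100.9 dave@example.com ok
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log window."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in


def parse_line(line):
    """Split one constructed log line into its four fields."""
    timestamp, source_ip, username, outcome = line.split()
    return timestamp, source_ip, username, outcome


def aggregate(log_text):
    """Group login events by source IP and count outcomes."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, source_ip, username, outcome = parse_line(line)
        s = stats[source_ip]
        s.attempts += 1
        s.users.add(username)
        if outcome == "fail":
            s.failures += 1
        else:
            s.successes.add(username)
    return stats


def flag_stuffing(stats, min_distinct_users=10, min_fail_ratio=0.8):
    """Return sources whose breadth and failure ratio look like stuffing.

    A user mistyping their own password fails against ONE username, so the
    distinct-username threshold keeps ordinary typos out of the result.
    Thresholds are illustrative and would be tuned per site.
    """
    flagged = {}
    for source_ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[source_ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                # Successful logins from a stuffing source are the reused
                # passwords that actually worked: reset these accounts.
                "accounts_to_reset": sorted(s.successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, report in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(ip, report)
```

Counting distinct usernames per source rather than raw failures is the point: the legitimate user at 198.51.100.5 also fails once, but against a single account, whereas the stuffing source spreads its attempts across many accounts and still lands one success, exactly the low-but-profitable hit rate the paragraph above describes. Real deployments also have to handle attackers who rotate across many source addresses, which is why the same aggregation is often run per autonomous system or per client fingerprint as well.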

So what needs to change? Cybersecurity teams are working hard to address this problem, of course. Two-factor authentication (where, in addition to your password, you must also enter a code sent to your mobile device to log in to a website) helps. Unfortunately, it has extremely low adoption rates since users find it inconvenient and websites that serve consumers are unwilling to make it a mandatory component of logging in. User education is a long-term industry effort, but educating a society and then creating consistent behavior change is a multi-decade solution to a problem that needs to be fixed now.

A similar problem exists with phishing. Corporations are spending massive resources educating their workforces on the dangers of clicking on untrusted links in emails and text messages, but it’s all but impossible to make 100% of your employees 100% perfect at detecting phishing attempts 100% of the time. This means that it’s just a matter of time and effort for a dedicated attacker to gain access to almost any corporate network.

Companies engage in a repeating cycle of building new services, experiencing public security incidents on them, and then implementing new security controls and protocols, which appear effective—until they are not. One fundamental problem with this repeating cycle is that there is too much “attack surface” for most organizations to defend without unrealistic levels of investment. This means there are too many ways that an attacker can take advantage of any part of the technology infrastructure in most companies to breach them or create harm.

Large enterprises typically operate dozens of security products with growing headcount in all areas of their security organizations. These teams are constantly learning new products, trying to keep up-to-date with new types of attacks, and patching their infrastructure for newly disclosed vulnerabilities. These systems and processes generate more data and work than most teams can process efficiently, which creates predictable rates of success for ROI-driven attackers engaged in schemes like credential stuffing.

The current state of affairs in corporate cybersecurity is similar to how most organizations used to approach much of their IT operations, prior to the advent of public cloud infrastructure. Jeff Bezos has said that the purpose of Amazon Web Services (AWS) was to remove the burden of “undifferentiated heavy lifting” that companies needed to constantly perform to operate their IT infrastructure. The market has validated this value proposition: AWS reported this year that their revenue grew 42% to $4.1B for the second quarter while Microsoft’s cloud business, Microsoft Azure, grew an astonishing 93%.

This same principle is even more important for cybersecurity. Because cybersecurity is so complicated and attacks change so rapidly, it’s untenable to expect every organization in every industry to invest the time and resources to stay ahead of sophisticated cybercriminals. There is also a revolving door of security products they must select, deploy, and ultimately decommission on a regular basis. One chief information security officer of a Fortune 500 company told me that he now asks new security vendors not only how long it takes to deploy their product, but how long it takes to “un-deploy” it, since he expects to only use any new security product for about two years. Clearly, this methodology is not working, as exemplified by the accelerating series of data breaches, fraud attacks, and other security incidents that have been announced over the last decade.

The answer is for companies to approach the problem differently — to improve the efficacy of the entire system. There are examples of such systemic improvements that we can find in other fields. One of the most successful public health interventions of all time was the addition of iodine to table salt, beginning in 1924. Humans need iodine in their diets, but it’s next to impossible to get enough people to consistently alter their diets to ensure they get enough iodine. Instead of trying to change all of society’s behavior, the system itself was altered to correct the problem more or less invisibly. That doesn’t mean we don’t have public health campaigns and an individual responsibility to eat well and exercise, but it does mean most people don’t have to worry about iodine deficiency anymore.

Similarly, the long-term answer to cybersecurity lies in dividing which cybersecurity challenges should be the responsibility of individual companies from which should come from platforms and services that take responsibility for foundational security. This model allows technology and service providers to make not only necessary, but extraordinary R&D investments to create the best possible security capabilities and practices for all companies. A platform provider spending $1B and hiring from the top of the security talent pool to provide shared capabilities to 100 companies produces far more benefit than those 100 companies spending $100M each on the same “undifferentiated heavy lifting”.

This doesn’t mean that cybersecurity and fraud teams within corporations will shrink or go away—far from it. In fact, cybersecurity has become, and going forward will always be, an issue where even CEOs and boards will be held accountable, so major internal investments are guaranteed. But instead of those teams engaging in the same commoditized activities as the cybersecurity teams in every other organization, they will be able to specialize in those aspects that are unique to their business and leverage their improved expertise to create greater impact in their work.

So will the combination of more effective cybersecurity teams using platforms with foundational cybersecurity built-in provide 100% security? Certainly not. The only way to absolutely guarantee the security of any system is to shut down that system. Instead, practical security is about tradeoffs and ROI. By making a carefully considered distinction between individual corporate responsibilities and platform responsibilities, each can invest more effectively, and we can provide the most security, for the greatest number of users, the vast majority of the time.

Shuman Ghosemajumder is Chief Technology Officer at Shape Security, which protects banks, airlines, government agencies, and other industries against cyberattacks on their web and mobile applications. He previously led global product management for click fraud at Google.